CYBERWARWide Range of Possible Targets for Russian Cyberstrikes, from Infrastructure to Smartphones
For years prior to Russia’s invasion of Ukraine, Vladimir Putin’s government waged cyberwar aimed at destabilizing the country’s infrastructure, government, and financial systems, including several distributed-denial-of-service (DDoS) attacks in the run-up to this week’s assault. What are Russia’s cyberwarfare capabilities, and what would a cyberattack against the U.S. look like?
For years prior to Russia’s invasion of Ukraine, Vladimir Putin’s government waged cyberwar aimed at destabilizing the country’s infrastructure, government, and financial systems, including several distributed-denial-of-service (DDoS) attacks in the run-up to Thursday’s all-out assault. The Harvard Gazette’s Colleen Walsh spoke with Lauren Zabierek, a former intelligence officer in the Air Force and currently director of the Cyber Project at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, about Russia’s cyberwarfare capabilities, and what a cyberattack against the U.S. might look like. The interview was edited for clarity and length.
Colleen Walsh: Russia launched numerous cyberattacks against Ukraine in the days before Thursday’s military strikes. What’s the potential for similar attacks against the U.S.?
Lauren Zabierek: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, put out a “shields up” warning last week noting that all organizations in the U.S. are at risk. Right now, we don’t have any indications of immediate attack, but we do know that Russians have at least conducted reconnaissance activities against our critical infrastructure for years and may have implanted some sort of tools to impact these services in response to U.S. or allied foreign policy action. That’s one kind of incident we may see, or we could be collateral damage from attacks on Ukraine, or even be targets of more tactical operations like DDoS attacks.
Walsh: What can countries do to protect themselves? And how much burden falls on the private sector and individual actors to look out for their own security?
Zabierek: I can’t speak to other countries, but here in the U.S., it’s definitely a function of public and private cooperation. Cybersecurity is a long game. It’s a strategic investment, and engagement between companies and federal and state government is vital. It also depends on an individual’s awareness and action. It’s our own devices, and our organizations’ devices and systems, that we need to be protecting. The U.S. military, through the U.S. Cyber Command and other government agencies, is certainly doing what it can to lean forward and identify potential attacks in international spaces, but it can’t see everything. And of a lot of activity is already happening within our own domestic networks. Monitoring there comes down to our private sector — private businesses and organizations — with advice and some assistance from CISA and the FBI. But the government is not responsible for private-sector networks. And since most of the critical infrastructure in this country is operated within the private sector, it really comes down to individuals being prepared and being secure in their practices.
Walsh: How should companies and individuals respond?
Zabierek: First, ensure that you have strong random passwords across all of your accounts. If you’re using the same credentials, and especially if you’re using the same weak password across all your accounts, an attacker can use that to access your email, your social media, your banking, and weaponize your personal information, steal intellectual property or sensitive organizational information, access sensitive systems, and potentially disrupt services. Another step is to patch vulnerabilities. The little icons that appear regarding updates on your phone, or your computer for your apps or your device — update those, they are filling holes that malware could potentially exploit to access your systems. And then, of course, being very mindful of any sort of emails with attachments or links, or anything that you can click on and open. But we should keep in mind that Russia is very sophisticated in this domain, and they’re going to use techniques that make it seem like those emails or texts are legitimate.
Walsh: President Biden has said that he doesn’t want to send troops to Ukraine. What are the chances that the U.S. or its allies will use cyberwarfare against Russia?
Zabierek: As he mentioned in Thursday’s press conference, the U.S. is prepared to respond to cyberattacks. Further, we do know the military, through U.S. Cyber Command, works to defend forward, to be able to contest actions in cyberspace that don’t necessarily reach the threshold of war. So, trying to identify and stop any sort of attacks from reaching us, but also gathering intelligence, working with our partners and our allies, both from a military and law-enforcement perspective, sharing information, trying to coordinate any sort of operations — I think we’ll see that.
Colleen Walsh is Harvard staff writer. This article is published courtesy of the Harvard Gazette, Harvard University’s official newspaper.